In today’s sophisticated threat landscape, ransomware is seemingly everywhere, impacting both organisations and individuals alike. But how did ransomware as we know it today come to be?
Aamir Lakhani, lead researcher and cyber security expert at Fortinet, examines the history of ransomware, starting in 1989, and explains how these threats are still looming today.
History of ransomware: A timeline
Ransomware is a type of malware designed to encrypt files on a victim’s computer until a ransom is paid. It makes its way onto devices and networks through infected emails, websites, or programs. It also occasionally threatens not just continued encryption of data, but also the release of sensitive data to the public if the ransom is not paid.
Over the years, ransomware has grown and now contributes to a booming cyber-crime business, often targeting large sectors, including healthcare, the legal sector, education, finance, and manufacturing. According to the H2 2020 Fortinet Global Threat Landscape Report, by the end of 2020, there were as many as 17,200 devices reporting ransomware each day.
Moreover, ransomware revenue in 2020 grew by 311% from 2019 to reach an estimated $350 million, according to a Chainanalysis report.
1989 AIDS Trojan: The first ransomware attack
The very first ransomware attack targeted the healthcare industry in 1989. An AIDS researcher gave out 20,000 infected floppy disks to those who attended the World Health Organisation’s AIDS conference. This attack was called the AIDS Trojan but was also known as the PC Cyborg virus, named after the fictitious name of the company demanding payment: PC Cyborg Corporation.
The distributed disks contained a program for analysing a person’s risk of getting AIDS, as well as malware that activated after an infected computer was powered on 90 times. After the 90th time, the malware hid directories and encrypted the names of all files on the C drive while displaying a message demanding payment.
In the years that followed, similar attacks appeared, and the birth of the internet paved the way for new cyber-crime opportunities, but ransomware remained a relatively minor threat until the turn of the century.
The internet age opens the door: GPCode and archiveus trojan
It was in the early 2000s that internet use in the developed world surpassed 50%. By around 2005, dial-up internet was falling by the wayside as broadband became the norm. With so many people using fast and reliable internet access, the ground was fertile for new ransomware.
2006 saw the release of the Archiveus Trojan, which was the first ransomware to use RSA encryption. This trojan encrypted everything in the MyDocuments directory for PC users and required victims to purchase items from an online pharmacy in order to get a 30-digit key code that would unlock their files.
That same year, GPcode ransomware infected PCs through spear-phishing attacks in the form of email attachments that looked like job applications. Similar to Archiveus, GPcode used a 660-Bit RSA public key to encrypt files in a computer’s MyDocuments directory, and victims had to pay a fee to get that key. From then on, ransomware gained steady momentum.
Ransomware scales up: winLock trojan unleashed
The year 2008 saw the invention of Bitcoin, a decentralised digital currency allowing for peer-to-peer transactions. This currency first came into use in 2009 and has been growing in popularity ever since. It is precisely the decentralised nature of this currency that allows it to be used on the dark web and for illegal activities. Now that ransomware attackers could demand payment in a form that couldn’t be traced back to them, they became emboldened.
About 30 000 new ransomware samples were detected in each of the first two quarters of 2011. This number doubled in the third quarter and continued to grow. Among the major players on the ransomware scene around this time was Trojan.WinLock, which was new in that it locked down entire systems instead of files. WinLock targeted Windows operating systems, locking users out until they bought a key.
By the end of 2012, ransomware had a black market value of $5 million and was getting more and more innovative. Around this time, law enforcement ransomware scams began to appear; in these scenarios, malware would be attached to emails from actors posing as different law enforcement agencies, which scared many people into falling victim.
Emergence of ransomware-as-a-service
Within the last decade, the continued growth of this threat was further enabled by a new market offering known as Ransomware-as-a-Service (RaaS), which allowed bad actors to purchase premade ransomware tools. This meant that they didn’t need as much technical know-how to get in on this cyber-crime business.
Zeus, a trojan horse malware package first identified in 2007, made its biggest splash when it was used to install CryptoLocker ransomware. The CryptoLocker ransomware attack occurred between 2013 and 2014, propagated by infected email attachments and via the Gameover Zeus botnet.
Other large-scale attacks, including CryptoWall and Locky, also appeared shortly afterward. Many of these threats now fall under the category of advanced persistent threats (APT), meaning that they are built for stealth and persistence, making them especially difficult to detect and remove.
Attacks go global in 2017 with wannacry and petya
In 2017, ransomware attacks were becoming more large-scale, attacking computers around the world all at once. One of these exploits, which became the biggest and most famous in history, was the Wannacry ransomware attack in May of 2017 – this targeted Windows operating systems, encrypting data and demanding bitcoin payment.
Though emergency patch releases mitigated the attack within a few days, it infected more than 200,000 computers across 150 countries, with damages running into the billions of dollars.
Around the same time, a family of encrypting malware called Petya appeared on the scene. In June 2017, a new Petya variant called NotPetya resulted in a significant global cyberattack, with infections reported in Russia, Ukraine, France, Germany, Italy, Poland, the UK, and the US. Ukraine was hit the hardest, with over 1,500 individuals and legal entities – including financial institutions – reporting having been attacked.
Big game hunting and modern cyber-crime business models
This brings us to the modern era and a cyber-crime landscape in which many bad actors now operate as large, distributed businesses, complete with call centers to handle ransom payments. Many such organisations now target large corporations and industries or high-profile individuals to get the best payouts – a strategy known as “Big Game Hunting” (BGH).
Just one example of a large and lucrative cyber-criminal operation is the group known as Sodinokibi (aka REvil), which uses a RaaS business model and recruits affiliates to distribute their ransomware. Their exploits include stealing nearly a terabyte of data from a large law firm and demanding a ransom to not publish it.
Recently, cybercriminals known as DarkSide gained access to the US Colonial Pipeline network in a ransomware attack. This shows the stakes continue to climb and the criticalness of attacks is high.
Final thoughts
In today’s modern world, the cyber threat landscape continues to grow more complex and sophisticated. Attempted attacks and data breaches are inevitable, and no organisation wants to be faced deciding between paying a ransom or losing important data.
With this in mind, organisations must approach cybersecurity and threat protection with the latest technologies to stay one step ahead of bad actors. Comprehensive solutions that cover all parts of a distributed network in an integrated way, such as the Fortinet Security Fabric platform, can go a long way in attack prevention and mitigation.